{"id":277,"date":"2015-07-14T21:04:53","date_gmt":"2015-07-14T19:04:53","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=277"},"modified":"2016-09-07T14:37:56","modified_gmt":"2016-09-07T12:37:56","slug":"siege-off-by-one-in-load_conf","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2015\/07\/14\/siege-off-by-one-in-load_conf\/","title":{"rendered":"siege: off-by-one in load_conf()"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"https:\/\/www.joedog.org\/siege-home\/\">Siege<\/a> is an http load testing and benchmarking utility.<\/p>\n<p>During the test of a webserver, I hit a segmentation fault. I recompiled siege with ASan and it clearly shows an off-by-one in <em>load_conf()<\/em>. The issue is reproducible without passing any arguments to the binary.<br \/>\nThe complete output:<\/p>\n<pre><span style=\"font-size: small\">ago@willoughby ~ # siege\r\n=================================================================\r\n==488==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000d7f1 at pc 0x00000051ab64 bp 0x7ffcc3d19a70 sp 0x7ffcc3d19a68\r\nREAD of size 1 at 0x60200000d7f1 thread T0\r\n#0 0x51ab63 in load_conf \/var\/tmp\/portage\/app-benchmarks\/siege-3.1.0\/work\/siege-3.1.0\/src\/init.c:263:12\r\n#1 0x515486 in init_config \/var\/tmp\/portage\/app-benchmarks\/siege-3.1.0\/work\/siege-3.1.0\/src\/init.c:96:7\r\n#2 0x5217b9 in main \/var\/tmp\/portage\/app-benchmarks\/siege-3.1.0\/work\/siege-3.1.0\/src\/main.c:324:7\r\n#3 0x7fb2b1b93aa4 in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.20-r2\/work\/glibc-2.20\/csu\/libc-start.c:289\r\n#4 0x439426 in _start (\/usr\/bin\/siege+0x439426)\r\n\r\n0x60200000d7f1 is located 0 bytes to the right of 1-byte region [0x60200000d7f0,0x60200000d7f1)\r\nallocated by thread T0 here:\r\n#0 0x4c03e2 in __interceptor_malloc 
\/var\/tmp\/portage\/sys-devel\/llvm-3.6.1\/work\/llvm-3.6.1.src\/projects\/compiler-rt\/lib\/asan\/asan_malloc_linux.cc:40:3\r\n#1 0x7fb2b1bf31e9 in __strdup \/var\/tmp\/portage\/sys-libs\/glibc-2.20-r2\/work\/glibc-2.20\/string\/strdup.c:42\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/var\/tmp\/portage\/app-benchmarks\/siege-3.1.0\/work\/siege-3.1.0\/src\/init.c:263 load_conf\r\nShadow bytes around the buggy address:\r\n0x0c047fff9aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n0x0c047fff9ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n0x0c047fff9ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n0x0c047fff9ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n0x0c047fff9ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n=&gt;0x0c047fff9af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[01]fa\r\n0x0c047fff9b00: fa fa 03 fa fa fa fd fd fa fa fd fa fa fa fd fd\r\n0x0c047fff9b10: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd\r\n0x0c047fff9b20: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa\r\n0x0c047fff9b30: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa\r\n0x0c047fff9b40: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\nAddressable: 00\r\nPartially addressable: 01 02 03 04 05 06 07\r\nHeap left redzone: fa\r\nHeap right redzone: fb\r\nFreed heap region: fd\r\nStack left redzone: f1\r\nStack mid redzone: f2\r\nStack right redzone: f3\r\nStack partial redzone: f4\r\nStack after return: f5\r\nStack use after scope: f8\r\nGlobal redzone: f9\r\nGlobal init order: f6\r\nPoisoned by user: f7\r\nContainer overflow: fc\r\nArray cookie: ac\r\nIntra object redzone: bb\r\nASan internal: fe\r\nLeft alloca redzone: ca\r\nRight alloca redzone: cb\r\n==488==ABORTING<\/span><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n3.1.0 (and maybe past versions).<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nNot available.<\/p>\n<p><strong>Commit fix:<\/strong><br 
\/>\nNot available.<\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2015-06-09: bug discovered<br \/>\n2015-06-10: bug reported privately to upstream<br \/>\n2015-07-13: no upstream response<br \/>\n2015-07-14: blog post about the issue<\/p>\n<p><strong>Permalink:<\/strong><br \/>\n<a href=\"http:\/\/blogs.gentoo.org\/ago\/2015\/07\/14\/siege-off-by-one-in-load_conf\">http:\/\/blogs.gentoo.org\/ago\/2015\/07\/14\/siege-off-by-one-in-load_conf<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: Siege is an http load testing and benchmarking utility. During the test of a webserver, I hit a segmentation fault. I recompiled siege with ASan and it clearly shows an off-by-one in load_conf(). The issue is reproducible without passing &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2015\/07\/14\/siege-off-by-one-in-load_conf\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-4t","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/277"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=277"}],"version-history":[{"count":37,"href":"https:\/\/blogs.gentoo.or
g\/ago\/wp-json\/wp\/v2\/posts\/277\/revisions"}],"predecessor-version":[{"id":395,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/277\/revisions\/395"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=277"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=277"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=277"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}